February 14, 2019 - By Patricia Elia & Julia White

PIPEDA's New Privacy Consent Guidelines - How to "Beef Up" Your Privacy Policies


Current Legislation for Protection of Personal Information

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is Canada’s privacy legislation. The objective of PIPEDA is to establish parameters governing the collection, use and disclosure of personal information in a commercial context, in a manner that recognizes the privacy rights of individuals in respect of their personal information while balancing the needs of organizations to collect, use and disclose personal information in reasonable ways.

When does PIPEDA apply? PIPEDA applies to an “organization” when it collects, uses or discloses “personal information” in the course of conducting “commercial activities”. For clarity, an “organization” includes an association, partnership, person and a trading name. “Personal information” means information about an identifiable individual. In essence, where the identity of a person can be ascertained from the information, that information will be deemed to be personal information for the purposes of PIPEDA. A “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character.

PIPEDA creates standards for the use and disclosure of personal information.[1] PIPEDA is based on the twin principles of notice and consent. The collection and use of personal information is only permitted when people are aware that such information is being collected and when they give their informed consent.

While PIPEDA arguably does not directly apply to Condominiums, such a conclusion fails to recognize that the provisions of PIPEDA do apply to organizations that serve condominiums, such as property management and security personnel, which are often the ones collecting and handling personal information. Thus, PIPEDA can assist a Condominium with the creation of “best practices” regarding the privacy of unit owners and others, and it can also be integrated into contracts with suppliers to manage risk exposure.

Condominiums are subject to the Condominium Act, 1998 (the “Act”),[2] together with each individual Condominium’s declaration, by-laws, and rules regarding the collection, storage, use and disclosure of personal information and/or records. Condominiums currently maintain the right to collect and use personal information from owners and occupants when required to fulfill the objects and duties of the Condominium, and shall only use this information for the purposes of the Act. The Act specifically sets out the type of information that Condominiums must collect, for what stated purpose, and for how long such information must be retained.

As it currently stands, the Act addresses many of the same objectives as PIPEDA; for example, access to personal information is only granted to those to whom the information relates. With that said, however, it is prudent for a Condominium handling sensitive information, such as unit owner health information, to ensure that its Human Rights Policy or its Privacy Policy sets out how the collection, use and disclosure of personal health information will be handled properly. Thus, boards must be aware of the use of personal information, by whom and when, in the context of a Condominium carrying out its duties and powers under the Act and in accordance with its governing documents. However, because the Act does not specifically set out or impose a right to confidentiality or privacy, or an obligation or authority to protect same, and because many of the Condominium’s employees are also subject to PIPEDA, each Condominium should develop its own comprehensive Privacy Policy to fill in the gaps.

New Privacy Consent Guidelines

On May 24, 2018, the Office of the Privacy Commissioner of Canada, in conjunction with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia, released guidelines for organizations which both mandate and suggest steps for obtaining “meaningful” consent in the collection of personal information. The idea is for organizations to take direction from the seven principles set out in the guidelines and develop a simpler, easy-to-understand privacy policy and consent process. Enforcement of these guidelines began January 1, 2019.

The seven guiding principles are as follows:

  1. Emphasize key elements

Organizations must provide information about their privacy management practices in a form that is readily accessible to individuals who wish to read it; however, due to lack of time and energy, most individuals do not want to read the full policy. To receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions upfront.

For this reason, organizations generally emphasize the following key elements:

    a. What personal information is being collected?

This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to.

    b. With which parties is personal information being shared?

Disclosures to third parties must be clearly explained, along with the type of information being shared.

    c. For what purpose(s) is personal information being collected, used or disclosed?

Purposes must be described in meaningful language and should not be vague. Purposes integral to the provision of the service should be distinguished from those that are not. Organizations should highlight any non-obvious purposes.

    d. Risk of harm and other consequences

Under PIPEDA, for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting – one of these consequences is risk of harm, specifically, residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms.

If there is a meaningful risk (i.e. one that falls below the balance of probabilities) that a residual risk will materialize and will be significant, individuals must be notified; otherwise, no notification is necessary.

There is currently no prescribed form in which these elements should be highlighted – organizations are encouraged to adopt standardized mechanisms. The purpose is to make it abundantly clear to individuals when their information is being collected and then provide them with the details upon further inquiry.

A good example of risk of harm in condominiums is that created by the installation of security cameras in common areas. Condominiums should post notices in the lobby advising individuals entering the premises that the common elements are monitored to assist in maintaining the safety and security of all residents of the Condominium, and that the Condominium’s privacy policy is available for review. Posting notices will inform users of potential privacy concerns and give them the opportunity to look into the details regarding the collection of footage, which should be contained within a privacy policy and readily available for review. The policy should clearly indicate the integral purpose of collecting data via security camera, such as preventing theft in the parking garage, and differentiate this from any other use that is not integral. While there are exceptions to the privacy parameters which would trump the parameters under PIPEDA, it is better for Condominiums to ensure that a policy is available for review and to address the exceptions therein.

  2. Allow individuals to control the level of detail they get and when

Information must be provided to individuals in manageable and easily-accessible ways and individuals should be able to control how much more detail they wish to obtain, and when. The level of detail required to make a consent decision will vary by individual and by situation. Presenting information in a layered format or by some method that allows for user-control over the level of detail provided is helpful to individuals.

Information should also remain available to individuals as they engage with the organization. This would include the creation of a privacy policy which users can re-access and review at any time.

  3. Provide individuals with clear options to say ‘yes’ or ‘no’

Individuals should only be required to consent to the collection, use or disclosure of personal information that is necessary for the product or service. Individuals should be given a choice (i.e. ‘opt-in’ or ‘opt-out’), unless the collection, use or disclosure of information is a “condition of service” (i.e. is integral to the provision of the product or service).

In the case of surveillance cameras, the use of cameras, if implemented, is considered necessary by the Condominium (and perhaps a majority of owners) for the safety and security of the property and the owners/residents. The footage should only be used for security purposes. If the Condominium wishes to exceed the scope of the intended purpose, it will need to get consent from the person whose privacy is being invaded, unless disclosure falls under an exception.

  4. Be innovative and creative

Organizations are encouraged to use a variety of communication strategies in the online environment to explain their privacy practices. Condominiums may find it helpful to create an online tool where owners and residents can access information regarding potential invasions of privacy and when consent is necessary and not necessary for owners. This could be as simple as having a Privacy Policy available online for review. The Condominium could provide owners with an outline of the records that are collected from owners, what kind of consent is required, and who else has access to them. For example, most owners do not understand the difference between a personal email and a business email and the protection afforded to each under the Act.

  5. Consider the consumer’s perspective

Consent processes should be user-friendly and must provide information that is easy to understand for the organization’s target audience(s). This could be as simple as ensuring that a Privacy Policy is available in the two official Canadian languages and, if the Condominium is aware that a number of owners or residents cannot speak English, providing the policy in the language of those individuals.

  6. Make consent a dynamic and ongoing process

Organizations should provide some interactive and dynamic way to anticipate and answer users’ questions if the information provided is not clear or gives rise to follow-up questions, for example, regularly updating FAQs.

  7. Be accountable: Stand ready to demonstrate compliance

Organizations should be able to demonstrate that they have a consent process in place to obtain consent from individuals and that it is in compliance with the consent obligations set out in legislation. Having a written comprehensive Privacy Policy and consent process in place that is provided to all owners and residents, and ensuring that all employees of the Condominium are trained on how to properly implement it, will ensure that this step is met.


In addition to the aforementioned principles, organizations should also consider the appropriate form of consent. Consent should generally be express, but can be implied in certain circumstances, such as collecting a debt owed by the individual to the organization; when required to comply with a subpoena, warrant or order made by a court; or when required by law, such as the requirements under the Act. Express consent should be obtained when the information being collected, used, or disclosed is sensitive, outside of the reasonable expectations of the individual, and/or creates a meaningful residual risk of significant harm.

The guidelines urge organizations to keep the following in mind when designing a consent process: (i) information collection should be limited to purposes that a reasonable person would consider appropriate in the circumstances; (ii) individuals have the right to withdraw consent, subject to legal or contractual restrictions; and (iii) consent does not waive an organization’s obligations under privacy laws or under the Act.

Ultimately, the new consent guidelines do not change the way information is collected, stored, and disclosed in Condominiums; however, they are helpful in creating or renewing the Condominium’s privacy policy and governing documents. A comprehensive privacy policy will make it clear to all unit owners and residents what information the Condominium is entitled to collect, store and disclose (and whether consent is implied or express), how long it will be kept, and for what purpose(s) it will be used.


[1] Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

[2] Condominium Act, 1998, SO 1998, c. 19.

All of the information contained in this article is of a general nature for informational purposes only, and is not intended to represent the definitive opinion of the firm of Elia Associates on any particular matter. Although every effort is made to ensure that the information contained in this newsletter is accurate and up-to-date, the reader should not act upon it without obtaining appropriate professional advice and assistance.

www.elia.org

© Elia Associates Professional Corporation, All Rights Reserved.